By Corin Imai, Senior Security Advisor, DomainTools
Cyber Threat Intelligence (CTI), the collection and analysis of information about current and potential cyber-attacks and attempts, has evolved significantly in recent years. The accumulation and research of cyber threat data across human insights, open source information, and technical intelligence from cybersecurity tools has reached mainstream adoption, according to a 2019 Ponemon Report: The Value of Threat Intelligence from Anomali. Now viewed as a critical resource for enterprise security, CTI is widely relied upon to inform and develop proactive cybersecurity measures.
With new challenges emerging, improvements in CTI best practices have come at an opportune time. An ever-changing matrix of commoditized malware, nation-state actors, cyber cold warfare activities, and a broadening landscape of connected devices that need to be secured is pulling cybersecurity teams in a myriad of directions. As cybersecurity technology has advanced, practitioners and experts have deepened their knowledge of how CTI is collected, shared and used. However, the shortage of practitioners with relevant and appropriate expertise leaves organizations lacking the resources needed to effectively stay ahead of threat actors. The shortage of skilled cybersecurity practitioners around the globe has never had more of an impact, according to research from (ISC)2, which found that 63% of participating organizations are suffering through a shortage of IT staff dedicated to cybersecurity. Moreover, nearly 60% of respondents said their companies are at “moderate” or “extreme” risk of cybersecurity attacks as a result of the shortage.
Given these challenges, the strategic use of CTI is critically important. Enterprises are beginning to recognize this and prioritize threat intelligence. The 2019 EMA Megatrends in Cybersecurity report found that threat intelligence is an important area of focus for security practitioners in the coming year. In the study, when asked “which of the following broad security initiatives are driving current priorities in your overall security program?,” respondents ranked improving threat intelligence among the highest in the ‘expanding’ bucket, at 57 percent, with only 8 percent of companies not prioritizing threat intelligence in some way.
To better understand trends around CTI best practices and how they have changed, the SANS Institute recently conducted its fifth consecutive Cyber Threat Intelligence Survey. The 2019 results revealed insights into CTI as a mechanism for cybersecurity detection, prevention and response, and how its use has evolved alongside the cybersecurity ecosystem.
The survey results were clear that CTI is on an upward trajectory, both in the number of organizations using it and in the extent to which it is applied. Seventy-two percent of respondents said they are utilizing CTI in some way, an increase from SANS’s 2018 findings (68 percent). Respondent organizations are leveraging it for threat detection, for response, or for both. And an increasing variety of information – including indicators of compromise, threat behaviors, adversary tactics, attack surface identification, and strategic analysis of the adversary – is being used. Nearly one-third said they use threat behavior information and 41 percent use indicators of compromise.
In previous SANS surveys, security practitioners said they were focused primarily on raw threat data, but today, they have elevated their use of CTI to drive strategy. Sixty-four percent said strategic-level reports, with threat data relevant to their specific organization or industry, drive the most value and enable intelligence-driven threat hunting, another indication of increasing sophistication in CTI practices.
Redefining Best Practices
Areas for improvement also emerged in the survey. Collaboration and threat information sharing among peers and with law enforcement are critical to unlocking the value of CTI, and 69 percent of survey respondents agreed that these practices improve the timeliness and relevance of threat information. While information-sharing programs were also recognized as valuable in a number of additional areas, only about half said they are collaborating in this way.
There is work to be done in better identifying and defining requirements as well. Only 30 percent of survey participants noted that they have their CTI requirements documented and 37 percent said their requirements are ad-hoc.
Enterprises looking to deepen the value of their threat intelligence programs have a range of opportunities to do so. These include improving collaboration, standardizing best practices, and taking the time to identify knowledge gaps. SANS recommends that industry practitioners continue to embrace new applications and methods for utilizing CTI. Leveraging it to roadmap user education programs was one suggestion given by survey respondents.
About the Author
Corin Imai is Senior Security Advisor for DomainTools. She began her career working on desktop virtualization, networking and cloud computing technologies before delving into security. Corin can be reached online at our company website https://www.domaintools.com/